DOM XSS in https://demo.librenms.org/outages in librenms/librenms

Valid

Reported on

Aug 18th 2023


Description

I noticed your website is very secure.

But you overlooked an XSS flaw.

Detail:

1. Log in with demo account.

2. Go to the link: https://demo.librenms.org/outages and click Filter.

3. Use Burp Suite to block proxy and inject payload:

   "><script>alert(document.cookie)</script>

4. Check, detect XSS.

Proof of Concept

Video PoC

https://drive.google.com/file/d/11-ym5OnHIkZJuOsauZEO6pRhMiSTAlqv/view?usp=sharing

Impact

This security vulnerability has the potential to steal multiple users' cookies, gain unauthorized access to that user's account through stolen cookies, or redirect the user to other malicious websites...

We are processing your report and will contact the librenms team within 24 hours. 6 months ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists 6 months ago
HaiNguyen modified the report
6 months ago
We have contacted a member of the librenms team and are waiting to hear back 6 months ago
HaiNguyen
6 months ago

Researcher


hi, any update for this?

HaiNguyen
6 months ago

Researcher


hi, any update for this?

HaiNguyen
6 months ago

Researcher


Hi @Tony Murray, hope you are interested in this report, thanks a lot.

HaiNguyen
5 months ago

Researcher


@maintainer? Any update on this?

Tony Murray validated this vulnerability 5 months ago

This works but only if included in both to and from, but I don't understand why. The JavaScript looks like it wouldn't leak the HTML. I can fix this without knowing why it works, but I would appreciate an explanation if you can.

hainguyen0207 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Tony Murray marked this as fixed in 23.9.0 with commit 49d66f 5 months ago
The fix bounty has been dropped
HaiNguyen
5 months ago

Researcher


Hi, the 2 data fields are time selections. The user cannot insert a payload. However, when using Burp Suite, the payload will be inserted into the data fields easily. It will break the structure of the data field website, causing XSS to occur. To fix this, you can strip the input character. Or default the input to time; if there are strange characters, it will give an error warning.

This vulnerability has now been published 5 months ago
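One way to implement the mitigation suggested in the last comment (accept only a date-time in the two filter fields, warn otherwise, and encode on output), shown next to a hypothetical unsafe renderer for contrast. This is an added example, not LibreNMS code and not the 49d66f fix; the field names `from` and `to` come from the thread, while the `YYYY-MM-DD HH:mm` format and all function names are assumptions.

```javascript
// Added example, not LibreNMS code. Assumed: the filter fields are "from" and
// "to" and carry "YYYY-MM-DD HH:mm" values (the format is an assumption).
const DATE_TIME = /^(\d{4})-(\d{2})-(\d{2}) (\d{2}):(\d{2})$/;

// Return the value unchanged if it is a real calendar date-time, else null.
function parseDateParam(value) {
  if (typeof value !== 'string') return null;
  const m = DATE_TIME.exec(value);
  if (!m) return null;
  const [y, mo, d, h, mi] = m.slice(1).map(Number);
  const dt = new Date(Date.UTC(y, mo - 1, d, h, mi));
  // Date normalises overflow (Feb 30 becomes Mar 2); reject anything that moved.
  const same = dt.getUTCFullYear() === y && dt.getUTCMonth() === mo - 1 &&
    dt.getUTCDate() === d && dt.getUTCHours() === h && dt.getUTCMinutes() === mi;
  return same ? value : null;
}

// Encode every character that can end an attribute value or open a tag.
function escapeAttr(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// "Before" (hypothetical): the raw request value is concatenated into markup.
function renderInputUnsafe(name, value) {
  return '<input type="text" name="' + name + '" value="' + value + '">';
}

// "After": validate, fall back to an empty field, and encode on output.
function renderInputSafe(name, value) {
  const clean = parseDateParam(value);
  const shown = clean === null ? '' : clean;
  return {
    html: '<input type="text" name="' + escapeAttr(name) + '" value="' + escapeAttr(shown) + '">',
    error: clean === null && value ? name + ' must be a date-time' : null,
  };
}

// Constructed request: one tampered field (the payload from the report), one valid.
const sample = { from: '"><script>alert(document.cookie)</script>', to: '2023-08-18 10:30' };
for (const [k, v] of Object.entries(sample)) console.log(renderInputSafe(k, v));
```

Validation has to run on the server (or wherever the value is written into the page), because a client-side date picker is bypassed by anything that edits the request in transit.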